When I looked, prod differed from beta and dev. This could be as simple as a missed processing of vuln.xml. I re-ran the script, and the marked commits on prod then agreed with dev and beta. This situation reminded me of a past problem we had. I am not sure why this particular problem arose as identified by Abbe, but I am convinced of a new problem.

It’s not so much a new problem. It more like I am newly aware of the problem.

FreshPorts lists the commits which are affected by vulnerabilities. If you look at the commit history for a port, a black skull indicates that that version of the port is vulnerable. This information is stored in the commit_log_ports table, which looks like this:

This table indicates whether or not a given port (port_id) has an existing vulnerability (current) or a past vulnerability (past). This indicates whether the port page displays a black skull, or a white skull, respectively.